Netgate Discussion Forum

    Issue with port forwarding https/webmail

    2.0-RC Snapshot Feedback and Problems - RETIRED
      kkm

      Hi!

      I'm new to this forum, so I hope this is the right place for the post.

      We have a firewall running pfSense 2.0 RC2. We have an email server running Mac Lion 10.7 that has webmail set up on it using a self-signed SSL certificate. Internally, webmail connections work using https on port 443. No other ports are needed internally for webmail to work. Externally (outside of the firewall), web browsers will not connect to the webmail unless port 143 (unencrypted IMAP) is also port forwarded to the webmail server. It seems like the firewall is un-encrypting the SSL as it passes through.

      Here is the rule that we have for webmail:

      Dest. Addr    Dest. ports    NAT IP    NAT Ports
      *             25000          server    443

      We are using port 25000 as the destination port since we have other https connections on the standard ports already going to other servers.  Also, we are connecting directly to the firewall external interface with https://firewall-ip-address:25000/webmail to access the server.

      Is there another setting that we should be using to allow port forwarding for SSL connections?  I will be happy to supply anything else needed for troubleshooting.  Thanks!

        toomeek

        I don't understand what you mean.
        I have SSL NATed already - Webmin, HTTPS, SSH, all work fine.
        Just add an entry in DNS Forwarder?
        Then the host will be reachable on the LAN like over the WAN DNS entry, but using the internal IP.

        pfSense_ports.png
        pfsense_dnsforwarder.png

          cmb

          The firewall can't unencrypt traffic. Nothing in a web browser will require IMAP being open, though I'm not familiar with how that particular webmail functions. What you're doing there is generally fine.

            kkm

            Hi!  Thanks for the replies.  We actually have DNS set up internally and have external DNS servers configured as well.

            That is good to know that the firewall won't be un-encrypting SSL traffic.

            Thanks!

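One way to check from packet captures that a port forward such as 25000 -> 443 passes TLS through untouched, as an added example that is not part of the original thread. It assumes you have already extracted the client-to-server TCP payload once on the WAN side and once on the server side; the function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS record header: 1-byte content type, 2-byte version, 2-byte length.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # TLS 1.2 upper bound on a ciphertext record

def tls_records(payload: bytes):
    """Return [(type, (major, minor), length)]; ValueError if not TLS records.
    A final record cut short by the end of the capture is still listed."""
    records, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 5:
            raise ValueError(f"truncated record header at offset {pos}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, pos)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_RECORD_LEN:
            raise ValueError(f"offset {pos} does not start a TLS record")
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        pos += 5 + length
    return records

def classify(payload: bytes) -> str:
    """'tls' if the stream opens with a handshake record, else 'not_tls' or 'empty'."""
    if not payload:
        return "empty"
    try:
        records = tls_records(payload)
    except ValueError:
        return "not_tls"
    return "tls" if records[0][0] == "handshake" else "not_tls"

def forward_is_transparent(wan_payload: bytes, server_payload: bytes) -> bool:
    """True when both sides carry identical TLS bytes (NAT only rewrote addresses)."""
    return classify(wan_payload) == "tls" and wan_payload == server_payload

def _record(ctype: int, minor: int, body: bytes) -> bytes:
    return struct.pack("!BBBH", ctype, 3, minor, len(body)) + body

# Constructed samples (not real captures): a ClientHello-shaped handshake record
# plus one application-data record, and two cleartext streams for contrast.
SAMPLE_TLS = _record(22, 1, b"\x01" + bytes(63)) + _record(23, 3, bytes(range(48)))
SAMPLE_HTTP = b"GET /webmail HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_IMAP = b"a1 CAPABILITY\r\n"

if __name__ == "__main__":
    for name, data in (("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP), ("imap", SAMPLE_IMAP)):
        print(name, "->", classify(data))
    print("transparent:", forward_is_transparent(SAMPLE_TLS, SAMPLE_TLS))
```

If the server-side payload on port 443 classifies as `tls` and matches the WAN-side bytes, any cleartext seen elsewhere (such as IMAP on port 143) is a separate connection, not the forwarded HTTPS session.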
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.